FAIL2BAN does not block brute force attacks
I am getting these warnings:
root@mx3:/# tail -f /var/log/exim4/mainlog
2016-09-23 19:40:42 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=laurie)
2016-09-23 19:40:42 no host name found for IP address 119.56.129.3
2016-09-23 19:41:00 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=margaret)
2016-09-23 19:41:00 no host name found for IP address 119.56.129.3
2016-09-23 19:41:19 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=maria)
2016-09-23 19:41:19 no host name found for IP address 119.56.129.3
2016-09-23 19:41:37 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=mariah)
2016-09-23 19:41:37 no host name found for IP address 119.56.129.3
2016-09-23 19:41:55 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marie)
2016-09-23 19:41:55 no host name found for IP address 119.56.129.3
2016-09-23 19:42:14 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marilyn)
2016-09-23 19:42:14 no host name found for IP address 119.56.129.3
2016-09-23 19:42:32 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marina)
2016-09-23 19:42:32 no host name found for IP address 119.56.129.3
2016-09-23 19:42:50 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marine)
What can I do to block these fraudulent login attempts to dovecot accounts?
Re: FAIL2BAN does not block brute force attacks
This topic may help you --> viewtopic.php?f=10&t=9040&p=30273#p30273
or you can try to add some filters to /etc/fail2ban/filter.d/exim.conf

Code:
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: Unrouteable address\s*$
            ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
            ^\[<HOST>\]: 535 Incorrect authentication data   -- this additional line
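Before putting a new failregex into a live jail it is worth checking it against the exact lines from the log, which is what the `fail2ban-regex` tool is for. The script below is an added example, not fail2ban's own code and not from the thread: it re-implements the matching step fail2ban performs (strip the leading timestamp, expand the `<HOST>` tag into a named group, apply the pattern to the remainder) and a simplified maxretry/findtime ban decision, then runs the exim4 mainlog lines quoted above through it. The `<HOST>` expansion is modelled on fail2ban's but is an assumption, not the exact string fail2ban uses; the `STRUCTURED` pattern is the example's own variant and is not in the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed test input: the exim4 mainlog excerpt quoted in the question above.
SAMPLE_LOG = """\
2016-09-23 19:40:42 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=laurie)
2016-09-23 19:40:42 no host name found for IP address 119.56.129.3
2016-09-23 19:41:00 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=margaret)
2016-09-23 19:41:00 no host name found for IP address 119.56.129.3
2016-09-23 19:41:19 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=maria)
2016-09-23 19:41:19 no host name found for IP address 119.56.129.3
2016-09-23 19:41:37 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=mariah)
2016-09-23 19:41:37 no host name found for IP address 119.56.129.3
2016-09-23 19:41:55 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marie)
2016-09-23 19:41:55 no host name found for IP address 119.56.129.3
2016-09-23 19:42:14 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marilyn)
2016-09-23 19:42:14 no host name found for IP address 119.56.129.3
2016-09-23 19:42:32 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marina)
2016-09-23 19:42:32 no host name found for IP address 119.56.129.3
2016-09-23 19:42:50 dovecot_login authenticator failed for (194.135.89.130) [119.56.129.3]: 535 Incorrect authentication data (set_id=marine)
"""

# fail2ban replaces the <HOST> tag with a named group before compiling a failregex.
# Assumption: this expansion is close to fail2ban's, not necessarily identical.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The exim4 mainlog timestamp that fail2ban strips before applying failregex.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")

# The line suggested in the reply above, with its leading ^ anchor.
ANCHORED = r"^\[<HOST>\]: 535 Incorrect authentication data"
# Example's own variant: same text without the anchor, so the authenticator
# prefix that precedes the address in the log is allowed.
UNANCHORED = r"\[<HOST>\]: 535 Incorrect authentication data"
# Example's own variant: keeps the anchor but describes the whole line.
STRUCTURED = r"^\S+ authenticator failed for \(\S+\) \[<HOST>\]: 535 Incorrect authentication data"


def compile_failregex(pattern):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(pattern.replace("<HOST>", HOST_TAG))


def match_failures(log_text, patterns):
    """Return (timestamp, host) for each line some pattern matches.

    The date prefix is removed first, so a leading ^ in a pattern anchors
    at the text that follows the timestamp, exactly as in fail2ban."""
    compiled = [compile_failregex(p) for p in patterns]
    hits = []
    for line in log_text.splitlines():
        m = DATE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        rest = line[m.end():]
        for rx in compiled:
            found = rx.search(rest)
            if found:
                hits.append((when, found.group("host")))
                break
    return hits


def hosts_to_ban(hits, maxretry=5, findtime=600):
    """Simplified maxretry/findtime rule: a host is banned at the moment
    its maxretry-th failure within findtime seconds is seen."""
    window = timedelta(seconds=findtime)
    by_host = {}
    for when, host in sorted(hits):
        by_host.setdefault(host, []).append(when)
    banned = {}
    for host, times in by_host.items():
        for i, now in enumerate(times):
            recent = [t for t in times[: i + 1] if t >= now - window]
            if len(recent) >= maxretry:
                banned[host] = now
                break
    return banned


if __name__ == "__main__":
    for name, pat in (("anchored", ANCHORED), ("unanchored", UNANCHORED), ("structured", STRUCTURED)):
        hits = match_failures(SAMPLE_LOG, [pat])
        print(f"{name}: {len(hits)} matching lines, ban decision: {hosts_to_ban(hits)}")
```

Run against these lines the anchored pattern matches nothing, because after the timestamp is removed the line begins with `dovecot_login authenticator failed for ...`, not with `[`; the two variants each match the eight failed logins and, with maxretry 5 and findtime 600, would ban 119.56.129.3 at the fifth failure (19:41:55). The same check with the real tool is `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/exim.conf`.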